Legal Team
+44 (0)1235 778 577
legal@diamond.ac.uk
Diamond is committed to protecting the privacy and Personal Data of all Diamond Associates and adhering to best practices in complying with Data Protection Laws.
Diamond is the Data Controller and is responsible for Personal Data that any Diamond Associate shares with it. This notice aims to provide information on how Diamond Processes Personal Data of Diamond Associates that interact with Diamond, such as by (but not exclusive to):
Diamond recognises the particular importance of protecting privacy where children are involved. In the normal course of our business, Diamond does not collect Personal Data from children under the age of 13. In the very limited circumstances where we may need to collect Personal Data of children under the age of 13 (for a special event for example), we will collect the Personal Data from the child’s parent or guardian.
Diamond’s website may include links to third-party websites, plug-ins and applications. Diamond does not control these third-party websites (which are outside the scope of this privacy notice) and is not responsible for any such third-party privacy statement. Where Diamond Associates click on third party website links or enable plug-ins or applications, they may allow parties to collect or share Data about them.
Diamond typically collects Personal Data when Diamond Associates, or the organisation that a Diamond Associate represents, provides it to Diamond.
Diamond may also collect information about criminal convictions when Diamond Associates, or the organisation that a Diamond Associate represents, provides it to Diamond.
Diamond uses different methods to collect Data from Diamond Associates, for example Diamond would normally collect Personal Data directly when they:
In certain instances, Diamond may receive Personal Data of a Diamond Associate from a third party. For example, Diamond may receive:
Diamond Processes Personal Data so far as is necessary to pursue legitimate interests as a research facility, a facilities provider, an employer, in pursuance of Diamond’s not-for-profit objectives, and in respect of facilitating Diamond’s relationship with, and commitment to, Diamond Associates.
The types of Data that Diamond may collect and the purpose for which Diamond collects that Data are set out below.
5.1 Diamond Visitors
5.1.1 Types of Data that may be collected:
5.1.2 Diamond’s Purpose(s) for using the Data:
5.2 Diamond Users
5.2.1 Types of Data that may be collected:
5.2.1.1 When Diamond Users wish to use Diamond’s facilities or register in the UAS:
5.2.1.2 When Diamond Users submit a proposal:
5.2.1.3 When Diamond Users are awarded laboratory or instrument time:
5.2.2 Diamond’s purpose(s) for using the Data:
5.2.2.1 When Diamond Users wish to use Diamond’s facilities or register in the UAS:
5.2.2.2 When Diamond Users submit a proposal:
5.2.2.3 When Diamond Users are awarded laboratory or instrument time:
5.3 Diamond Employees, prospective Diamond Employees, Diamond Personnel, prospective Diamond Personnel, Diamond Collaborators and prospective Diamond Collaborators
5.3.1 Types of Data that may be collected:
5.3.2 Diamond’s purpose(s) for using the Data:
5.4 Diamond Committee Members and Diamond Peer Reviewers
5.4.1 Types of Data that may be collected:
5.4.2 Diamond’s purpose(s) for using the Data:
5.5 Thermometry Test Recipient and Covid-19 Test Recipients
As a result of the Covid-19 pandemic, Diamond has put in place additional measures (which include thermometry, lateral flow and polymerase chain reaction testing) to ensure the health and safety of all those that physically visit Diamond.
Diamond also operates an internal track and trace procedure for those that have attended site and tested positive for Covid-19 (either via an external test provider such as the NHS, or via Diamond’s lateral flow or polymerase chain reaction testing). Diamond is cooperating with third parties and with Public Health England in particular in relation to its requirement to report Covid-19 test results in order to protect the health and safety of others. These measures require Diamond to Process Personal Data.
5.5.1 Types of Data that may be collected:
5.5.2 Diamond’s purpose(s) for using the Data:
Diamond will keep Personal Data that is provided to it by Diamond Associates for as long as is necessary to fulfil the purposes for which Diamond has collected it. This may mean that Diamond retains a Diamond Associate’s Personal Data for a period of time (typically up to seven years) after they have ceased to have a relationship with Diamond, where this is necessary for Diamond to satisfy a legal, accounting or reporting requirement. In the case of Diamond Committee Members and Diamond Peer Reviewers, Diamond may keep a record of their Personal Data indefinitely, for the purpose of ensuring that Diamond does not ask persons to join a Diamond Committee or Diamond Peer Review Panel that have historically refused or been unable to join.
In determining the appropriate period of time for retaining Personal Data, Diamond considers: the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of the Personal Data, the purpose for which Diamond Processes Personal Data and whether Diamond can achieve those purposes through other means, and the applicable legal requirements.
In relation to Thermometry Testing Recipients, Diamond has installed a Wello station, which Processes a photographic image of the Thermometry Testing Recipient. The image is then printed on a photo-ID sticker, which they must wear whilst visiting Diamond. The Wello station then immediately deletes the photographic image.
Any Diamond Associate (specifically including Diamond Users) with a UAS login must update their details on the system as soon as there is a change. Diamond recommends that Diamond Associates review the details at least once a year to ensure that their Personal Data remains up-to-date and accurate.
Where a Diamond Associate has been provided with a Federal Identifier, Diamond will retain the following Personal Data indefinitely:
• UAS person identification;
• Federal Identifier;
• first name; and
• surname.
| Status | User Description | Personal Data Retained | Timeline |
| --- | --- | --- | --- |
| Enabled | Where a Diamond Associate is registered in UAS and undertakes an annual check and confirmation of Personal Data. | In addition, they may have chosen to submit an ORCID ID (or have been required to provide this as a principal investigator on a project). | Each year Diamond Associates that are registered in UAS will be prompted by email to log in to their account to check and confirm their personal details. On each annual anniversary of when a Diamond Associate last logged into their UAS account, they will need to check and confirm their details in order to progress in the UAS. |
| Unconfirmed | Where a Diamond Associate has an active UAS account, but the correctness of their Personal Data is not known. Any record that has not been confirmed for over one year is classed as being unconfirmed. | In addition, they may have chosen to submit an ORCID ID (or have been required to provide this as a principal investigator on a project). | Automatically carried out one year after the user last confirmed their details OR manually carried out if information is known to be incorrect. |
| Reduced | Where a Diamond Associate is an active Diamond User that can log in to UAS, but some personal details are reduced by Diamond. Persons with a reduced person record can log in to UAS, but will immediately be prompted to confirm their details. Any record that has not been confirmed for over one year, and which has not been active at Diamond for three years, will be reduced by Diamond. The Personal Data is retained for the purposes of reporting and account recovery. | | Manually carried out if the Diamond User requests removal of Personal Data from UAS within three years of being active OR automatically carried out if the record has not been confirmed within the last year and the Diamond User has not been active at Diamond within the last three years. |
| Archived | When a Diamond Associate’s Personal Data has been deleted from the UAS and they can no longer log in to the UAS as a result of their Personal Data record not being confirmed within the last year and where the user has not been active at Diamond within the last ten years. | | Manually carried out if the Diamond User requests the removal of their Personal Data from the UAS within seven days OR automatically carried out if the record has not been confirmed within the last year and the Diamond User has not been active at Diamond within the last ten years. |
| Deleted | Users can no longer log in to UAS and the only information retained is the Federal Identifier. These are typically records that were created in error. | Personal details will no longer be held in UAS and users will need to be reactivated by UAS or re-register. | |
The Personal Data that Diamond collects is typically necessary in order to provide an effective service and to ensure the health and safety of all Diamond Associates. Where Diamond does not require certain Personal Data, Diamond will make this clear. Where Diamond Associates are not sure whether the submission of Personal Data is compulsory or mandatory, they can contact legal@diamond.ac.uk.
Where Diamond Associates do not provide certain Personal Data when requested, Diamond may not be able to perform the services that are requested by a Diamond Associate, e.g. enabling a Diamond User to use Diamond’s facilities, sending mail updates about Diamond events, carrying out or completing recruitment or onboarding of prospective Diamond Employees, Diamond Personnel or Diamond Collaborators, or appointing a prospective Diamond Committee Member to a Diamond Committee.
It is important that the Personal Data Diamond holds about a Diamond Associate is accurate and that the Diamond Associate notifies Diamond at the earliest possible opportunity if their Personal Data needs updating.
Diamond may share Personal Data for the purposes described in this privacy notice. Some of these parties may be outside the United Kingdom. Diamond does not sell Personal Data or share it for third party advertising or marketing purposes.
8.1 Inside of Diamond
Diamond may share information in relation to Diamond Associates internally for legitimate and necessary purposes, including Processing purposes outlined above. Some examples of where Diamond may share Personal Data internally, include:
Personal Data is accessible as appropriate to those that need to be involved in managing, administering and monitoring UAS accounts and Diamond User interactions with Diamond and the research that it supports. This includes (but is not limited to) Diamond’s user office (which is responsible for allocating beamtime), Diamond’s Health and Safety team, Diamond’s laboratory services personnel, Diamond’s Finance team, software developers, and peer reviewers.
8.2 Outside of Diamond
For the purposes set out in this privacy notice and in circumstances where it would be legitimate and necessary to do so, Diamond may share a Diamond Associate’s Personal Data, or a subset of their Personal Data, with a variety of stakeholders, third-party service providers, suppliers, partners, associated organisations and agents. Where possible, Diamond will share information on an anonymised basis. Where Diamond is not able to provide anonymised data, it will only share information to the extent that it is necessary and in compliance with Data Protection Laws. Diamond will require that all third parties receiving Personal Data from Diamond use it for the specified purpose, in accordance with Diamond’s instructions, and that they treat it in accordance with Data Protection Laws. Examples of third parties that Diamond may share Personal Data with, include:
We have listed some of the key services carried out by third-party processors here.
Diamond is committed to safeguarding Personal Data and has put in place appropriate security measures to prevent a Diamond Associate’s Personal Data from accidentally being lost, altered, disclosed or used or accessed in an unauthorised way. In addition, Diamond limits access to Personal Data to those Diamond Employees, Diamond Personnel and other third parties who have a business need to know, who will be under a duty of confidentiality and who will only Process Diamond Associate’s Personal Data on instructions from Diamond.
There may be occasions when Diamond transfers Diamond Associate’s Personal Data outside the UK, for example, if Diamond communicates with Diamond Associates using a cloud-based service provider that operates outside the UK. Such transfers will only take place if one of the following applies:
It is important to note that Diamond may display limited Identity Data, Organisation Data and employment history on its website, which will be accessible by internet users (who may or may not be based in the UK).
Automated decision-making takes place when an electronic system uses Personal Data to make decisions without human intervention. Diamond does not expect to make decisions about Diamond Associates based on automated decision-making or profiling unless Diamond has a lawful basis for doing so and it has notified the Diamond Associate.
Where Diamond Processes Personal Data on the basis of a Diamond Associate’s consent, they have the right to withdraw their consent for that Processing at any time. Once Diamond has received notification that a Diamond Associate has withdrawn their consent, Diamond will take steps to ensure that it no longer Processes the Diamond Associate’s Personal Data for the purpose or purposes they originally agreed to as soon as possible, unless Diamond has another legitimate and legal basis for retaining it.
It is also important to highlight that under certain circumstances, by law Diamond Associates have the right to:
If a Diamond Associate wants to review, verify, correct or request erasure of their Personal Data, object to the Processing of their Personal Data, or request that Diamond transfers a copy of their Personal Data to another party, they should contact Diamond’s legal team at legal@diamond.ac.uk.
If a Diamond Associate would like a copy of the Personal Data that Diamond holds about them or if they are a Diamond Employee and they receive such a request from an individual, they should contact legal@diamond.ac.uk with the words "Subject Access Request" in the subject line and include:
Diamond will respond to such requests within one calendar month of the date of request, or in respect of complex requests, Diamond may respond within three calendar months, starting from the day of receipt. By way of example, if a simple Subject Access Request is made on 3 September, Diamond will have until 3 October to respond to the request. In the event of a complex Subject Access Request being made on 3 September, Diamond will have until 3 December to respond.
Where Diamond has requested something from the Diamond Associate, e.g. ID documents, that are required to deal with the Data Subject Access Request, the calendar month will start on the day Diamond receives the necessary information or documents. Where the end date falls on a Saturday, Sunday or bank holiday, the calendar month ends on the next working day. Therefore, if a simple Data Subject Access Request is received on 31 July and 31 August is a bank holiday, Saturday or Sunday, then Diamond will need to respond to the request on the next working day.
Diamond Associates will not have to pay a fee to access their Personal Data (or to exercise any of the other rights). However, Diamond may charge a reasonable fee if the request for access is clearly unfounded or excessive, or Diamond may refuse to comply with the request. Diamond may also request a fee from the Diamond Associate if they request further copies of their information following a Subject Access Request.
Diamond may need to request specific information from the Diamond Associate to help it confirm their identity and ensure their right to access the information (or to exercise any of their other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
Diamond understands that there are differences amongst Diamond Associates in terms of the protected characteristics contained within the Equality Act 2010 (i.e. age, disability, gender reassignment, marriage & civil partnerships, pregnancy & maternity, race, religion or belief, sex (gender) and/or sexual orientation). Diamond therefore aims to deliver policies, documents and services which are efficient and effective, accessible to all, and which meet Diamond Associates’ different needs. Diamond Associates that need help to understand this document or require any appropriate support should contact Diamond’s Human Resources team (hr@diamond.ac.uk).
If any Diamond Associates have any questions about this privacy notice, or Diamond’s privacy practices they should contact Diamond’s Data Protection Officer. Diamond’s Data Protection Officer is Paul Jeffreys and he can be contacted at paul.jeffreys@diamond.ac.uk.
This privacy notice should be read in conjunction with Diamond’s Cookie Policy and Data Protection Policy.
In order to ensure that Diamond’s privacy notice is up to date and accurate, Diamond may make changes to it from time to time. All Diamond Associates should regularly check this notice for updates. This privacy notice was last updated on 8 March 2024.
For the purposes of this notice, the following definitions shall apply:
Contact Data: billing address, delivery address, email address(es), telephone number(s), next of kin name and contact details or details of another emergency contact.
Covid-19 Test Recipient: any Diamond Associate (or other person) that physically visits Diamond and partakes in Diamond's lateral flow or polymerase chain reaction testing or that has taken a Covid-19 test externally and has notified Diamond of a positive test result.
Data: information, whether stored electronically, or in paper-based filing systems.
Data Controllers: the people who, or organisations which determine the manner in which any Personal Data is Processed. They are responsible for establishing practices and policies to ensure compliance with Data Protection Laws.
Data Processors: any person or organisation that is not a Data User (or other employee of a Data Controller) that Processes Data on Diamond’s behalf and in accordance with our instructions (for example, a supplier which handles Data on Diamond’s behalf).
Data Protection Laws: means the General Data Protection Regulation 2016 (Regulation (EU) 2016/679) (the “GDPR”), the Data Protection Act 2018 and any laws that replace or amend any of these, together with all other applicable law, regulations, guidance and codes of conduct relating to the Processing of Personal Data, Data, cyber security and privacy, including any guidance and codes of practice issued by the Information Commissioner’s Office or any relevant supervisory authority, the Article 29 Working Party, or the European Data Protection Board from time to time.
Data Protection Officer: Paul Jeffreys (contactable at paul.jeffreys@diamond.ac.uk).
Data Subject Access Request: a request by a Data Subject for the disclosure of their Personal Data.
Data Subjects: all living individuals about whom Diamond holds Personal Data.
Data Users: Diamond Employees and Diamond Personnel whose work involves Processing Personal Data.
Diamond: Diamond Light Source Limited, a company incorporated and registered in England and Wales, with company number 4375679 and with registered office at Diamond House, Harwell Science & Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom.
Diamond Associate: Diamond Visitor, historic Diamond Visitor, Diamond User, historic Diamond User, Diamond Employee, prospective Diamond Employee, historic Diamond Employee, Diamond Personnel, prospective Diamond Personnel, historic Diamond Personnel, Diamond Collaborator, prospective Diamond Collaborator, historic Diamond Collaborator, Diamond Committee Member, historic Diamond Committee Member, Diamond Peer Reviewer, historic Diamond Peer Reviewer, Thermometry Test Recipient or Covid-19 Test Recipient.
Diamond Collaborator: Diamond Personnel that collaborates with Diamond.
Diamond Committee: the committees at Diamond, being: the committees coordinated by Diamond, such as the Scientific Advisory Committee and the Audit Risk and Finance Committee or as these committees may be varied from time to time.
Diamond Committee Member: a member of a Diamond Committee.
Diamond Employee: any person working for Diamond under a contract of employment.
Diamond Personnel: any person or organisation that works with, or for Diamond, or that is an agent, agency worker, intern, contractor, subcontractor, appointee, secondee, student (including schools/colleges work experience students), third-party representative, fellow, volunteer, external consultant, business partner, supplier, sponsor, director or office holder of Diamond, a Diamond Peer Reviewer, Diamond Committee Member, Diamond User or Diamond Collaborator and who is not a Diamond Employee.
Diamond Peer Reviewer: a member of a Diamond Peer Review Panel.
Diamond Peer Review Panel: a panel convened for the purpose of reviewing a Diamond User’s proposal to use Diamond’s facilities and that will accordingly approve or reject the proposal.
Diamond User, Diamond User's and Diamond Users': any person that uses or applies to use (whether directly or indirectly) or any affiliates of the person that made the application to use Diamond’s facilities and who may have access to UAS.
Diamond Visitor: any person that physically or virtually visits Diamond (including any person that partakes in any workshop, event or tour (whether online or in person)) or any person that visits or otherwise uses Diamond’s website from time to time.
Federated Identifier: the federal identifier provided by Diamond to a Diamond User, Diamond Employee or Diamond Personnel.
Financial Data: bank account, payment card details, tax status information and any HMRC information as required.
Identity Data: first name(s), last name(s), maiden name(s), username, or similar identifier, marital status, title, date of birth, national insurance number and gender.
Marketing and Communications Data: Diamond Associates’ preferences in receiving marketing and communication from Diamond and Diamond’s third parties.
Organisation Data: details of the organisation that a Diamond Associate represents, including the organisation’s name, address, the Diamond Associate’s position within the organisation and any contact details for the Diamond Associate at the organisation, e.g. organisation specific email address or contact number.
Personal Data: Data relating to a living natural person who can be identified from that Data such as certain types of Identity Data, Contact Data, Financial Data, Organisation Data, Transaction Data, Technical Data, Profile Data, Usage Data, or Marketing and Communications Data, which may or may not include Special Category Personal Data and does not include anonymised information or aggregated Data as this does not directly or indirectly reveal an individual’s identity.
Process, Processed, Processing, or Processes: any activity which involves the use of Data. It includes obtaining, recording or holding Data, or carrying out any operation on the Data, including organising, amending, retrieving, using, disclosing or destroying it or transferring Data to third parties.
Profile Data: a Diamond Associate’s username or password, details of any purchases or orders made by a Diamond Associate and any survey responses or details of any interests, preferences or feedback that have been provided by a Diamond Associate.
Special Category Personal Data: Personal Data that needs more protection because it is sensitive and relates to an identified or identifiable individual that falls within special categories, such as Data that relates to: racial or ethnic origin, political views or opinions, religious or philosophical beliefs, health, sex life, sexual orientation, genetics, trade union membership and biometric Data when used for identification purposes.
Surveillance Systems: Diamond’s surveillance systems.
Technical Data: internet protocol address, a Diamond Associate’s login details, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices the Diamond Associate uses on Diamond’s website.
Thermometry Test Recipient: a person that received a thermometry test at Diamond.
Transaction Data: details about payment to and from Diamond Associates and other details of services Diamond Associates have purchased from Diamond.
UAS: Diamond’s User Administration System.
Usage Data: information about how Diamond Associates use Diamond’s website, and any Diamond products and services.
Please, access a printable version of this Privacy Policy - Published 04/12/2023.